A Security Update has been released for Outlook 2016. It resolves the following vulnerability;
- CVE-2020-0760: Microsoft Office Remote Code Execution Vulnerability
A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
The updates address the vulnerability by correcting how Office handles type libraries.
Note: Some types of Visual Basic for Applications (VBA) references might be affected by this update. For more information, see FAQ for VBA solutions affected by April 2020 Office security updates.
This update also contains 3 additional fixes or improvements for non-security issues;
- Makes updates to the United Kingdom holidays in the Outlook holiday file (Outlook.HOL). If the United Kingdom holidays have been added to your Outlook Desktop calendar, delete the existing events before you apply this update. For more information about how to update holidays, see Holiday updates for the Outlook Calendar.
- Fixes an issue that prevents users from reopening an .msg file after they drag and drop an attachment from that message.
- Fixes an issue in which Outlook makes unnecessary requests to fetch web add-ins from Exchange.
Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4993.1001. This update does not apply to Perpetual and Office 365 based installations of Office 2016.